
Issue: 50860 - Port Password Policy test cases from TET to python3 part1

CI test - Port Password Policy test cases from TET to python3 part1

Relates: https://pagure.io/389-ds-base/issue/50860

Author: aborah

Reviewed by: Simon Pichugin, Viktor Ashirov
tags/debian/1.4.4.3-1
Anuj Borah 9 months ago
parent
commit
1befe92973
1 changed files with 619 additions and 0 deletions
  1. +619
    -0
      dirsrvtests/tests/suites/password/password_policy_test.py

+ 619
- 0
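--- a/dirsrvtests/tests/suites/password/password_policy_test.py
+++ b/dirsrvtests/tests/suites/password/password_policy_test.py
@@ -0,0 +1,619 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2020 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+
+"""
+This test script will test password policy.
+"""
+
+import os
+import pytest
+from lib389.topologies import topology_st as topo
+from lib389.idm.organizationalunit import OrganizationalUnits
+from lib389.idm.user import UserAccounts, UserAccount
+from lib389._constants import DEFAULT_SUFFIX
+from lib389.pwpolicy import PwPolicyManager
+import ldap
+
+
+pytestmark = pytest.mark.tier1
+
+
+def create_user(topo, uid, cn, sn, givenname, userpasseord, gid, ou):
+"""
+Will create user
+"""
+user = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=ou).create(properties={
+'uid': uid,
+'cn': cn,
+'sn': sn,
+'givenname': givenname,
+'mail': f'{uid}@example.com',
+'userpassword': userpasseord,
+'homeDirectory': f'/home/{uid}',
+'uidNumber': gid,
+'gidNumber': gid
+})
+return user
+
+
+@pytest.fixture(scope="module")
+def _policy_setup(topo):
+"""
+Will do pretest setup.
+"""
+for suffix, ou in [(DEFAULT_SUFFIX, 'dirsec'), (f'ou=people,{DEFAULT_SUFFIX}', 'others')]:
+OrganizationalUnits(topo.standalone, suffix).create(properties={
+'ou': ou
+})
+for uid, cn, sn, givenname, userpasseord, gid, ou in [
+('dbyers', 'Danny Byers', 'Byers', 'Danny', 'dby3rs1', '10001', 'ou=dirsec'),
+('orla', 'Orla Hegarty', 'Hegarty', 'Orla', '000rla1', '10002', 'ou=dirsec'),
+('joe', 'Joe Rath', 'Rath', 'Joe', '00j0e1', '10003', 'ou=people'),
+('jack', 'Jack Rath', 'Rath', 'Jack', '00j6ck1', '10004', 'ou=people'),
+('fred', 'Fred Byers', 'Byers', 'Fred', '00fr3d1', '10005', None),
+('deep', 'Deep Blue', 'Blue', 'Deep', '00de3p1', '10006', 'ou=others, ou=people'),
+('accntlusr', 'AccountControl User', 'ControlUser', 'Account', 'AcControl123', '10007', 'ou=dirsec'),
+('nocntlusr', 'NoAccountControl User', 'ControlUser', 'NoAccount', 'NoControl123', '10008', 'ou=dirsec')
+]:
+create_user(topo, uid, cn, sn, givenname, userpasseord, gid, ou)
+policy_props = {'passwordexp': 'off',
+'passwordchange': 'off',
+'passwordmustchange': 'off',
+'passwordchecksyntax': 'off',
+'passwordinhistory': '6',
+'passwordhistory': 'off',
+'passwordlockout': 'off',
+'passwordlockoutduration': '3600',
+'passwordmaxage': '8640000',
+'passwordmaxfailure': '3',
+'passwordminage': '0',
+'passwordminlength': '6',
+'passwordresetfailurecount': '600',
+'passwordunlock': 'on',
+'passwordStorageScheme': 'CLEAR',
+'passwordwarning': '86400'
+}
+pwp = PwPolicyManager(topo.standalone)
+for dn_dn in (f'uid=orla,ou=dirsec,{DEFAULT_SUFFIX}',
+f'uid=joe,ou=People,{DEFAULT_SUFFIX}'):
+pwp.create_user_policy(dn_dn, policy_props)
+pwp.create_subtree_policy(f'ou=People,{DEFAULT_SUFFIX}', policy_props)
+
+
+def change_password(topo, user_password_new_pass_list):
+"""
+Will change password with self binding.
+"""
+for user, password, new_pass in user_password_new_pass_list:
+real_user = UserAccount(topo.standalone, f'{user},{DEFAULT_SUFFIX}')
+conn = real_user.bind(password)
+UserAccount(conn, real_user.dn).replace('userpassword', new_pass)
+
+
+def change_password_ultra_new(topo, user_password_new_pass_list):
+"""
+Will change password with self binding.
+"""
+for user, password, new_pass, ultra_new_pass in user_password_new_pass_list:
+real_user = UserAccount(topo.standalone, f'{user},{DEFAULT_SUFFIX}')
+conn = real_user.bind(password)
+UserAccount(conn, real_user.dn).replace('userpassword', new_pass)
+conn = real_user.bind(new_pass)
+UserAccount(conn, real_user.dn).replace('userpassword', ultra_new_pass)
+
+
+def change_password_with_admin(topo, user_password_new_pass_list):
+"""
+Will change password by root.
+"""
+for user, password in user_password_new_pass_list:
+UserAccount(topo.standalone, f'{user},{DEFAULT_SUFFIX}').replace('userpassword', password)
+
+
+@pytest.fixture(scope="function")
+def _fixture_for_password_change(request, topo):
+pwp = PwPolicyManager(topo.standalone)
+orl = pwp.get_pwpolicy_entry(f'uid=orla,ou=dirsec,{DEFAULT_SUFFIX}')
+for attribute in ('passwordMustChange', 'passwordmustchange'):
+orl.replace(attribute, 'off')
+assert orl.get_attr_val_utf8(attribute) == 'off'
+
+def final_task():
+people = pwp.get_pwpolicy_entry(f'ou=people,{DEFAULT_SUFFIX}')
+people.replace('passwordchange', 'on')
+assert people.get_attr_val_utf8('passwordchange') == 'on'
+# Administrator Reseting to original password
+change_password_with_admin(topo, [
+('uid=joe,ou=people', '00j0e1'),
+('uid=fred', '00fr3d1'),
+('uid=jack,ou=people', '00j6ck1'),
+('uid=deep,ou=others,ou=people', '00de3p1'),
+('uid=orla,ou=dirsec', '000rla1'),
+('uid=dbyers,ou=dirsec', 'Anuj')
+])
+request.addfinalizer(final_task)
+
+
+def test_password_change_section(topo, _policy_setup, _fixture_for_password_change):
+""" Password Change Section.
+
+:id: 5d018c08-9388-11ea-8394-8c16451d917b
+:setup: Standalone
+:steps:
+1. Confirm that user is not been affected by fine grained password
+(As its is not belong to any password policy)
+2. Should be able to change password(As its is not belong to any password policy)
+3. Try to change password for user even though pw policy is set to no.
+Should get error message: unwilling to Perform !
+4. Set Password change to May Change Password.
+5. Administrator Reseting to original password !
+6. Attempt to Modify password to orla2 with an invalid first pw with error message.
+7. Changing current password from orla1 to orla2
+8. Changing current password from orla2 to orla1.
+9. Set Password change to Must Not Change After Reset
+10 Change password for joe,jack,deep even though pw policy is set to no with error message.
+11. Fred can change.(Fred is not belong to any pw policy)
+12. Changing pw policy to may change pw
+13. Set Password change to May Change Password
+14. Administrator Reseting to original password
+15. Try to change password with invalid credentials. Should see error message.
+16. Changing current password for joe and fed.
+17. Changing current password for jack and deep with error message.(passwordchange not on)
+18. Changing pw policy to may change pw
+19. Set Password change to May Change Password
+20. Administrator Reseting to original password
+21. Try to change password with invalid credentials. Should see error message.
+22. Changing current password
+23. Set Password change to Must Not Change After Reset
+24. Searching for passwordchange: Off
+25. Administrator Reseting to original password
+26. Try to change password with invalid credentials. Should see error message
+27. Changing current password (('passwordchange', 'off') for joe)
+:expected results:
+1. Success(As its is not belong to any password policy)
+2. Success
+3. Fail(pw policy is set to no)
+4. Success
+5. Success
+6. Fail(invalid first pw)
+7. Success
+8. Success
+9. Success
+10. Fail(pw policy is set to no)
+11. Success((Fred is not belong to any pw policy))
+12. Success
+13. Success
+14. Success
+15. Fail(invalid credentials)
+16. Success((passwordchange on))
+17. Fail(passwordchange not on)
+18. Success
+19. Success
+20. Success
+21. Fail(invalid credentials)
+22. Success
+23. Success
+24. Success
+25. Success
+26. Fail(invalid credentials)
+27. Success
+"""
+# Confirm that uid=dbyers is not been affected by fine grained password
+dbyers = UserAccount(topo.standalone, f'uid=dbyers,ou=dirsec,{DEFAULT_SUFFIX}')
+conn = dbyers.bind('dby3rs1')
+dbyers_conn = UserAccount(conn, f'uid=dbyers,ou=dirsec,{DEFAULT_SUFFIX}')
+# Should be able to change password(As its is not belong to any password policy)
+dbyers_conn.replace('userpassword', "Anuj")
+# Try to change password for uid=orla even though pw policy is set to no.
+# Should get error message: unwilling to Perform !
+orla = UserAccount(topo.standalone, f'uid=orla,ou=dirsec,{DEFAULT_SUFFIX}')
+conn = orla.bind('000rla1')
+orla_conn = UserAccount(conn, f'uid=orla,ou=dirsec,{DEFAULT_SUFFIX}')
+# pw policy is set to no
+with pytest.raises(ldap.UNWILLING_TO_PERFORM):
+orla_conn.replace('userpassword', "000rla2")
+pwp = PwPolicyManager(topo.standalone)
+orl = pwp.get_pwpolicy_entry(f'uid=orla,ou=dirsec,{DEFAULT_SUFFIX}')
+# Set Password change to May Change Password.
+orl.replace('passwordchange', 'on')
+assert orl.get_attr_val_utf8('passwordchange') == 'on'
+# Administrator Reseting to original password !
+orla.replace('userpassword', '000rla1')
+# Attempt to Modify password to orla2 with an invalid first pw with error message.
+with pytest.raises(ldap.INVALID_CREDENTIALS):
+conn = orla.bind('Invalid_password')
+# Changing current password from orla1 to orla2
+orla_conn.replace('userpassword', '000rla2')
+# Changing current password from orla2 to orla1.
+orla_conn = UserAccount(conn, f'uid=orla,ou=dirsec,{DEFAULT_SUFFIX}')
+orla_conn.replace('userpassword', '000rla1')
+# Set Password change to Must Not Change After Reset
+joe = pwp.get_pwpolicy_entry(f'uid=joe,ou=people,{DEFAULT_SUFFIX}')
+people = pwp.get_pwpolicy_entry(f'ou=people,{DEFAULT_SUFFIX}')
+joe.replace_many(('passwordmustchange', 'off'), ('passwordchange', 'off'))
+people.replace_many(('passwordmustchange', 'off'), ('passwordchange', 'off'))
+for attr in ['passwordMustChange', 'passwordchange']:
+assert joe.get_attr_val_utf8(attr) == 'off'
+for attr in ['passwordMustChange', 'passwordchange']:
+assert people.get_attr_val_utf8(attr) == 'off'
+# Change password for uid,joe,jack,deep even though pw policy is set to no with error message.
+for user, password, pass_to_change in [
+('joe', '00j0e1', '00j0e2'),
+('jack', '00j6ck1', '00j6ck2'),
+('deep,ou=others', '00de3p1', '00de3p2')
+]:
+real_user = UserAccount(topo.standalone, f'uid={user},ou=people,{DEFAULT_SUFFIX}')
+conn = real_user.bind(password)
+real_conn = UserAccount(conn, real_user.dn)
+# pw policy is set to no
+with pytest.raises(ldap.UNWILLING_TO_PERFORM):
+real_conn.replace('userpassword', pass_to_change)
+real_user = UserAccount(topo.standalone, f'uid=fred,{DEFAULT_SUFFIX}')
+conn = real_user.bind('00fr3d1')
+# Fred can change.(Fred is not belong to any pw policy)
+real_conn = UserAccount(conn, real_user.dn)
+real_conn.replace('userpassword', '00fr3d2')
+# Changing pw policy to may change pw
+# Set Password change to May Change Password
+joe = pwp.get_pwpolicy_entry(f'uid=joe,ou=people,{DEFAULT_SUFFIX}')
+joe.replace('passwordchange', 'on')
+assert joe.get_attr_val_utf8('passwordchange') == 'on'
+# Administrator Reseting to original password
+change_password_with_admin(topo, [
+('uid=joe,ou=people', '00j0e1'),
+('uid=jack,ou=people', '00j6ck1'),
+('uid=fred', '00fr3d1'),
+('uid=deep,ou=others,ou=people', '00de3p1')
+])
+# Try to change password with invalid credentials. Should see error message.
+for user in [
+'uid=joe,ou=people',
+'uid=jack,ou=people',
+'uid=fred',
+'uid=deep,ou=others,ou=people'
+]:
+with pytest.raises(ldap.INVALID_CREDENTIALS):
+UserAccount(topo.standalone, f'{user},{DEFAULT_SUFFIX}').bind("bad")
+# Changing current password for joe and fed.
+for user, password, new_pass in [
+('uid=joe,ou=people', '00j0e1', '00j0e2'),
+('uid=fred', '00fr3d1', '00fr3d2')
+]:
+real_user = UserAccount(topo.standalone, f'{user},{DEFAULT_SUFFIX}')
+conn = real_user.bind(password)
+UserAccount(conn, real_user.dn).replace('userpassword', new_pass)
+# Changing current password for jack and deep with error message.(passwordchange not on)
+for user, password, new_pass in [
+('uid=jack,ou=people', '00j6ck1', '00j6ck2'),
+('uid=deep,ou=others,ou=people', '00de3p1', '00de3p2')
+]:
+real_user = UserAccount(topo.standalone, f'{user},{DEFAULT_SUFFIX}')
+conn = real_user.bind(password)
+with pytest.raises(ldap.UNWILLING_TO_PERFORM):
+UserAccount(conn, real_user.dn).replace('userpassword', new_pass)
+# Changing pw policy to may change pw
+# Set Password change to May Change Password
+people.replace('passwordchange', 'on')
+assert people.get_attr_val_utf8('passwordchange') == 'on'
+# Administrator Reseting to original password
+change_password_with_admin(topo, [
+('uid=joe,ou=people', '00j0e1'),
+('uid=jack,ou=people', '00j6ck1'),
+('uid=fred', '00fr3d1'),
+('uid=deep,ou=others,ou=people', '00de3p1')
+])
+# Try to change password with invalid credentials. Should see error message.
+for user in [
+'uid=joe,ou=people',
+'uid=jack,ou=people',
+'uid=fred',
+'uid=deep,ou=others,ou=people'
+]:
+with pytest.raises(ldap.INVALID_CREDENTIALS):
+UserAccount(topo.standalone, f'{user},{DEFAULT_SUFFIX}').bind("bad")
+# Changing current password
+change_password(topo, [
+('uid=joe,ou=people', '00j0e1', '00j0e2'),
+('uid=fred', '00fr3d1', '00fr3d2'),
+('uid=jack,ou=people', '00j6ck1', '00j6ck2'),
+('uid=deep,ou=others,ou=people', '00de3p1', '00de3p2')
+])
+# Set Password change to Must Not Change After Reset
+joe.replace('passwordchange', 'off')
+assert joe.get_attr_val_utf8('passwordchange') == 'off'
+# Administrator Reseting to original password
+change_password_with_admin(topo, [
+('uid=joe,ou=people', '00j0e1'),
+('uid=fred', '00fr3d1'),
+('uid=jack,ou=people', '00j6ck1'),
+('uid=deep,ou=others,ou=people', '00de3p1')
+])
+# Try to change password with invalid credentials. Should see error message
+for user in [
+'uid=joe,ou=people',
+'uid=jack,ou=people',
+'uid=fred',
+'uid=deep,ou=others,ou=people'
+]:
+with pytest.raises(ldap.INVALID_CREDENTIALS):
+UserAccount(topo.standalone, f'{user},{DEFAULT_SUFFIX}').bind("bad")
+# Changing current password
+change_password(topo, [
+('uid=fred', '00fr3d1', '00fr3d2'),
+('uid=jack,ou=people', '00j6ck1', '00j6ck2'),
+('uid=deep,ou=others,ou=people', '00de3p1', '00de3p2')
+])
+# ('passwordchange', 'off') for joe
+real_user = UserAccount(topo.standalone, f'uid=joe,ou=people,{DEFAULT_SUFFIX}')
+conn = real_user.bind('00j0e1')
+with pytest.raises(ldap.UNWILLING_TO_PERFORM):
+UserAccount(conn, real_user.dn).replace('userpassword', '00j0e2')
+
+
+@pytest.fixture(scope="function")
+def _fixture_for_syntax_section(request, topo):
+change_password_with_admin(topo, [
+('uid=joe,ou=people', '00j0e1'),
+('uid=fred', '00fr3d1'),
+('uid=jack,ou=people', '00j6ck1'),
+('uid=deep,ou=others,ou=people', '00de3p1'),
+('uid=orla,ou=dirsec', '000rla1'),
+('uid=dbyers,ou=dirsec', 'Anuj')
+])
+pwp = PwPolicyManager(topo.standalone)
+orl = pwp.get_pwpolicy_entry(f'uid=orla,ou=dirsec,{DEFAULT_SUFFIX}')
+joe = pwp.get_pwpolicy_entry(f'uid=joe,ou=people,{DEFAULT_SUFFIX}')
+people = pwp.get_pwpolicy_entry(f'ou=people,{DEFAULT_SUFFIX}')
+for instance in [orl, joe, people]:
+instance.replace('passwordchecksyntax', 'on')
+instance.replace('passwordChange', 'on')
+assert instance.get_attr_val_utf8('passwordchecksyntax') == 'on'
+
+def final_step():
+for instance1 in [orl, joe, people]:
+instance1.replace('passwordminlength', '6')
+change_password_with_admin(topo, [
+('uid=orla,ou=dirsec', '000rLb1'),
+('uid=joe,ou=people', '00J0e1'),
+('uid=jack,ou=people', '00J6ck1'),
+('uid=deep,ou=others,ou=people', '00De3p1'),
+('uid=dbyers,ou=dirsec', 'dby3rs1'),
+('uid=fred', '00fr3d1')
+])
+
+request.addfinalizer(final_step)
+
+
+def test_password_syntax_section(topo, _policy_setup, _fixture_for_syntax_section):
+""" Password Syntax Section.
+
+:id: 7bf1cb46-9388-11ea-9019-8c16451d917b
+:setup: Standalone
+:steps:
+1. Try to change password with invalid credentials. Should get error (invalid cred).
+2. Try to change to a password that violates length. Should get error (constaint viol.).
+3. Attempt to Modify password to db which is in error to policy
+4. Changing password minimum length to 5 to check triviality
+5. Try to change password to the value of uid, which is trivial. Should get error.
+6. Try to change password to givenname which is trivial. Should get error
+7. Try to change password to sn which is trivial. Should get error
+8. Changing password minimum length back to 6
+9. Changing current password from *1 to *2
+10. Changing current password from *2 to *1
+11. Changing current password to the evil password
+12. Resetting to original password as cn=directory manager
+13. Setting policy to NOT Check Password Syntax
+14. Test that when checking syntax is off, you can use small passwords
+15. Test that when checking syntax is off, trivial passwords can be used
+16. Resetting to original password as cn=directory manager
+17. Changing password minimum length from 6 to 10
+18. Setting policy to Check Password Syntax again
+19. Try to change to a password that violates length
+20. Change to a password that meets length requirement
+:expected results:
+1. Fail(invalid cred)
+2. Fail(constaint viol.)
+3. Fail(Syntax error)
+4. Success
+5. Fail(trivial)
+6. Fail(password to givenname )
+7. Success
+8. Success
+9. Success
+10. Success
+11. Fail(evil password)
+12. Success
+13. Success
+14. Success
+15. Success
+16. Success
+17. Success
+18. Success
+19. Fail(violates length)
+20. Success
+"""
+# Try to change password with invalid credentials. Should get error (invalid cred).
+for user in [
+'uid=joe,ou=people',
+'uid=jack,ou=people',
+'uid=fred',
+'uid=deep,ou=others,ou=people',
+'uid=dbyers,ou=dirsec',
+'uid=orla,ou=dirsec'
+]:
+with pytest.raises(ldap.INVALID_CREDENTIALS):
+UserAccount(topo.standalone, f'{user},{DEFAULT_SUFFIX}').bind("bad")
+# Try to change to a password that violates length. Should get error (constaint viol.).
+with pytest.raises(ldap.CONSTRAINT_VIOLATION):
+change_password(topo, [
+('uid=orla,ou=dirsec', '000rla1', 'db'),
+('uid=joe,ou=people', '00j0e1', 'db'),
+('uid=jack,ou=people', '00j6ck1', 'db'),
+('uid=deep,ou=others,ou=people', '00de3p1', 'db')
+])
+# Attempt to Modify password to db which is in error to policy(Syntax error)
+change_password_ultra_new(topo, [
+('uid=dbyers,ou=dirsec', 'Anuj', 'db', 'dby3rs1'),
+('uid=fred', '00fr3d1', 'db', '00fr3d1')
+])
+# Changing password minimum length to 5 to check triviality
+pwp = PwPolicyManager(topo.standalone)
+orl = pwp.get_pwpolicy_entry(f'uid=orla,ou=dirsec,{DEFAULT_SUFFIX}')
+joe = pwp.get_pwpolicy_entry(f'uid=joe,ou=people,{DEFAULT_SUFFIX}')
+people = pwp.get_pwpolicy_entry(f'ou=people,{DEFAULT_SUFFIX}')
+for instance in [orl, joe, people]:
+instance.replace('passwordminlength', '5')
+# Try to change password to the value of uid, which is trivial. Should get error.
+with pytest.raises(ldap.CONSTRAINT_VIOLATION):
+change_password(topo, [
+('uid=orla,ou=dirsec', '000rla1', 'orla'),
+('uid=joe,ou=people', '00j0e1', 'joe'),
+('uid=jack,ou=people', '00j6ck1', 'jack'),
+('uid=deep,ou=others,ou=people', '00de3p1', 'deep')
+])
+# dbyers and fred can change
+change_password_ultra_new(topo, [
+('uid=dbyers,ou=dirsec', 'dby3rs1', 'dbyers', 'dby3rs1'),
+('uid=fred', '00fr3d1', 'fred', '00fr3d1')
+])
+# Try to change password to givenname which is trivial. Should get error
+with pytest.raises(ldap.CONSTRAINT_VIOLATION):
+change_password(topo, [
+('uid=orla,ou=dirsec', '000rla1', 'orla'),
+('uid=joe,ou=people', '00j0e1', 'joe'),
+('uid=jack,ou=people', '00j6ck1', 'jack'),
+('uid=deep,ou=others,ou=people', '00de3p1', 'deep')
+])
+# dbyers and fred can change
+change_password_ultra_new(topo, [
+('uid=dbyers,ou=dirsec', 'dby3rs1', 'danny', 'dby3rs1'),
+('uid=fred', '00fr3d1', 'fred', '00fr3d1')
+])
+# Try to change password to sn which is trivial. Should get error
+with pytest.raises(ldap.CONSTRAINT_VIOLATION):
+change_password(topo, [
+('uid=orla,ou=dirsec', '000rla1', 'Hegarty'),
+('uid=joe,ou=people', '00j0e1', 'Rath'),
+('uid=jack,ou=people', '00j6ck1', 'Rath'),
+('uid=deep,ou=others,ou=people', '00de3p1', 'Blue')
+])
+# dbyers and fred can change
+change_password_ultra_new(topo, [
+('uid=dbyers,ou=dirsec', 'dby3rs1', 'Byers', 'dby3rs1'),
+('uid=fred', '00fr3d1', 'Byers', '00fr3d1')
+])
+# Changing password minimum length back to 6
+for instance1 in [orl, joe, people]:
+instance1.replace('passwordminlength', '6')
+# Changing current password from *1 to *2
+change_password(topo, [
+('uid=orla,ou=dirsec', '000rla1', '000rLb2'),
+('uid=dbyers,ou=dirsec', 'dby3rs1', 'dby3rs2'),
+('uid=fred', '00fr3d1', '00fr3d2'),
+('uid=joe,ou=people', '00j0e1', '00J0e2'),
+('uid=jack,ou=people', '00j6ck1', '00J6ck2'),
+('uid=deep,ou=others,ou=people', '00de3p1', '00De3p2')
+])
+# Changing current password from *2 to *1
+change_password(topo, [
+('uid=orla,ou=dirsec', '000rLb2', '000rLb1'),
+('uid=dbyers,ou=dirsec', 'dby3rs2', 'dby3rs1'),
+('uid=fred', '00fr3d2', '00fr3d1'),
+('uid=joe,ou=people', '00J0e2', '00J0e1'),
+('uid=jack,ou=people', '00J6ck2', '00J6ck1'),
+('uid=deep,ou=others,ou=people', '00De3p2', '00De3p1')
+])
+# Changing current password to the evil password
+with pytest.raises(ldap.CONSTRAINT_VIOLATION):
+change_password(topo, [
+('uid=orla,ou=dirsec', '000rLb1', r'{\;\\].'),
+('uid=joe,ou=people', '00J0e1', r'{\;\\].'),
+('uid=jack,ou=people', '00J6ck1', r'{\;\\].'),
+('uid=deep,ou=others,ou=people', '00De3p1', r'{\;\\].')
+])
+# dbyers and fred can change
+change_password(topo, [
+('uid=dbyers,ou=dirsec', 'dby3rs1', r'{\;\\].'),
+('uid=fred', '00fr3d1', r'{\;\\].')
+])
+# Resetting to original password as cn=directory manager
+change_password_with_admin(topo, [
+('uid=orla,ou=dirsec', '000rLb1'),
+('uid=joe,ou=people', '00J0e1'),
+('uid=jack,ou=people', '00J6ck1'),
+('uid=deep,ou=others,ou=people', '00De3p1'),
+('uid=dbyers,ou=dirsec', 'dby3rs1'),
+('uid=fred', '00fr3d1')
+])
+# Setting policy to NOT Check Password Syntax
+# Searching for passwordminlength
+for instance in [orl, joe, people]:
+instance.replace('passwordchecksyntax', 'off')
+for instance in [orl, joe, people]:
+assert instance.get_attr_val_utf8('passwordchecksyntax') == 'off'
+assert instance.get_attr_val_utf8('passwordminlength') == '6'
+# Test that when checking syntax is off, you can use small passwords
+change_password(topo, [
+('uid=orla,ou=dirsec', '000rLb1', 'db'),
+('uid=joe,ou=people', '00J0e1', 'db'),
+('uid=jack,ou=people', '00J6ck1', 'db'),
+('uid=deep,ou=others,ou=people', '00De3p1', 'db'),
+('uid=dbyers,ou=dirsec', 'dby3rs1', 'db'),
+('uid=fred', '00fr3d1', 'db')
+])
+# Test that when checking syntax is off, trivial passwords can be used
+change_password(topo, [
+('uid=orla,ou=dirsec', 'db', 'orla'),
+('uid=joe,ou=people', 'db', 'joe'),
+('uid=jack,ou=people', 'db', 'jack'),
+('uid=deep,ou=others,ou=people', 'db', 'deep'),
+('uid=dbyers,ou=dirsec', 'db', 'dbyers'),
+('uid=fred', 'db', 'fred')
+])
+# Resetting to original password as cn=directory manager
+change_password_with_admin(topo, [
+('uid=orla,ou=dirsec', '000rLb1'),
+('uid=joe,ou=people', '00J0e1'),
+('uid=jack,ou=people', '00J6ck1'),
+('uid=deep,ou=others,ou=people', '00De3p1'),
+('uid=dbyers,ou=dirsec', 'dby3rs1'),
+('uid=fred', '00fr3d1')
+])
+# Changing password minimum length from 6 to 10
+# Setting policy to Check Password Syntax again
+for instance in [orl, joe, people]:
+instance.replace_many(
+('passwordchecksyntax', 'on'),
+('passwordminlength', '10'))
+# Try to change to a password that violates length
+with pytest.raises(ldap.CONSTRAINT_VIOLATION):
+change_password(topo, [
+('uid=orla,ou=dirsec', '000rLb1', 'db'),
+('uid=joe,ou=people', '00J0e1', 'db'),
+('uid=jack,ou=people', '00J6ck1', 'db'),
+('uid=deep,ou=others,ou=people', '00De3p1', 'db')
+])
+# dbyers and fred can change as it does not belong to any pw policy
+change_password(topo, [
+('uid=dbyers,ou=dirsec', 'dby3rs1', 'db'),
+('uid=fred', '00fr3d1', 'db')
+])
+# Change to a password that meets length requirement
+change_password(topo, [
+('uid=orla,ou=dirsec', '000rLb1', 'This_IS_a_very_very_long_password'),
+('uid=joe,ou=people', '00J0e1', 'This_IS_a_very_very_long_password'),
+('uid=jack,ou=people', '00J6ck1', 'This_IS_a_very_very_long_password'),
+('uid=deep,ou=others,ou=people', '00De3p1', 'This_IS_a_very_very_long_password'),
+('uid=dbyers,ou=dirsec', 'db', 'This_IS_a_very_very_long_password'),
+('uid=fred', 'db', 'This_IS_a_very_very_long_password')
+])
+
+
+if __name__ == "__main__":
+CURRENT_FILE = os.path.realpath(__file__)
+pytest.main("-s -v %s" % CURRENT_FILE)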
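Review bot: In `test_password_syntax_section`, each `with pytest.raises(ldap.CONSTRAINT_VIOLATION):` block wraps a single `change_password()` call that carries four users, but `change_password` iterates its list and the first exception leaves the loop, so only the first entry (`uid=orla,ou=dirsec`) is ever checked. The joe, jack and deep tuples, which are the ones covered by joe's user policy and the `ou=People` subtree policy, are never attempted in the length, trivial-word, "evil password" and minlength-10 steps, so a regression in subtree-level syntax enforcement would still pass. Put the context manager inside a per-user loop: `for entry in users:` then `with pytest.raises(ldap.CONSTRAINT_VIOLATION):` then `change_password(topo, [entry])`. `test_password_change_section` already follows this per-user pattern for its `UNWILLING_TO_PERFORM` checks, so the two tests would then be consistent.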
